Esempio n. 1
0
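 def Print(self, indent=""):
     """Write the parsed supplemental-credential sections to stdout.

     Each section the parser populated is printed under its own heading,
     nested by *indent*; ``self.Text`` is always passed through ``dump``
     under a "Debug: " heading at the end.  The output carries Kerberos
     keys, WDigest hashes and, when stored, the cleartext password, so it
     is credential material in its own right.

     Args:
         indent: prefix for every line; nested sections get two more
             spaces.
     """
     # ``is not None`` instead of ``!= None``: an unset section is the
     # None singleton, and identity does not depend on the key classes
     # implementing comparison operators.
     if self.KerberosNewerKeys is not None:
         print("{0}Kerberos newer keys".format(indent))
         self.KerberosNewerKeys.Print(indent + "  ")
     if self.KerberosKeys is not None:
         print("{0}Kerberos keys".format(indent))
         self.KerberosKeys.Print(indent + "  ")
     if self.WDigestHashes is not None:
         print("{0}WDigest hashes".format(indent))
         for digest in self.WDigestHashes:
             print("{0}  {1}".format(indent, hexlify(digest)))
     if self.Packages is not None:
         print("{0}Packages".format(indent))
         for package in self.Packages:
             print("{0}  {1}".format(indent, package))
     if self.Password is not None:
         print("{0}Password: {1}".format(indent, self.Password))
     # A single-argument print(...) produces the same output under
     # Python 2 (parenthesised expression) and Python 3 (function call).
     print("Debug: ")
     print(dump(self.Text, 16, 16))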
Esempio n. 2
0
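 def Print(self, indent=""):
     """Print every populated credential section, then a dump of self.Text.

     Sections (Kerberos newer keys, Kerberos keys, WDigest hashes, Packages,
     Password) are emitted only when the corresponding attribute is set;
     the trailing "Debug: " dump of ``self.Text`` is unconditional.

     Args:
         indent: string prepended to each line; nested key objects are
             printed with *indent* plus two spaces.
     """
     # None checks use identity: the attributes are either a parsed object
     # or the None singleton, so ``is not None`` is the exact test and does
     # not rely on the objects defining ``__ne__``.
     if self.KerberosNewerKeys is not None:
         print("{0}Kerberos newer keys".format(indent))
         self.KerberosNewerKeys.Print(indent + "  ")
     if self.KerberosKeys is not None:
         print("{0}Kerberos keys".format(indent))
         self.KerberosKeys.Print(indent + "  ")
     if self.WDigestHashes is not None:
         print("{0}WDigest hashes".format(indent))
         for wdigest in self.WDigestHashes:
             print("{0}  {1}".format(indent, hexlify(wdigest)))
     if self.Packages is not None:
         print("{0}Packages".format(indent))
         for package_name in self.Packages:
             print("{0}  {1}".format(indent, package_name))
     if self.Password is not None:
         print("{0}Password: {1}".format(indent, self.Password))
     # Single-argument print(...) is valid, and prints identically, on
     # both Python 2 and Python 3.
     print("Debug: ")
     print(dump(self.Text, 16, 16))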
Esempio n. 3
0
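    def ParseUserProperty(self, text, offset):
        """Parse one property record of a supplemental-credentials blob.

        The layout this code reads is: a 16-bit name length, a 16-bit
        value length, a 16-bit reserved field, the UTF-16 property name,
        then the hex-encoded property value.  A known name populates the
        matching attribute (KerberosNewerKeys, KerberosKeys, WDigestHashes,
        Packages or Password); an unknown name is only echoed to stdout.

        Args:
            text: the whole blob as a byte string.
            offset: index of the record's first byte within *text*.

        Returns:
            The offset just past the value, or None when *text* ends
            before the record is complete.
        """
        def read_uint16(pos):
            # One native-order unsigned 16-bit field, or None when fewer
            # than two bytes remain.
            field = text[pos:pos + 2]
            if len(field) != 2:
                return None
            return unpack('H', field)[0]

        NameLength = read_uint16(offset)
        if NameLength is None:
            return
        offset += 2
        ValueLength = read_uint16(offset)
        if ValueLength is None:
            return
        offset += 2
        # Read to step over the field; the value itself is not used.
        reserved = read_uint16(offset)
        if reserved is None:
            return
        offset += 2

        # Fix: the name is bounds-checked by its declared length.  The old
        # check only verified that two bytes remained, so a blob truncated
        # inside the name reached the UTF-16 decoder with a short slice.
        raw_name = text[offset:offset + NameLength]
        if len(raw_name) != NameLength:
            return
        Name = raw_name.decode('utf-16')
        offset += NameLength

        raw_value = text[offset:offset + ValueLength]
        if len(raw_value) != ValueLength:
            return
        if Name == u"Primary:Kerberos-Newer-Keys":
            self.KerberosNewerKeys = self.ParseKerberosNewerKeysPropertyValue(
                unhexlify(raw_value))
        elif Name == u"Primary:Kerberos":
            self.KerberosKeys = self.ParseKerberosPropertyValue(
                unhexlify(raw_value))
        elif Name == u"Primary:WDigest":
            self.WDigestHashes = self.ParseWDigestPropertyValue(
                unhexlify(raw_value))
        elif Name == u"Packages":
            self.Packages = unhexlify(raw_value).decode('utf-16').split("\x00")
        elif Name == u"Primary:CLEARTEXT":
            try:
                # decode() already returns a unicode object, so the former
                # unicode(...) wrapper was an identity call.
                self.Password = unhexlify(raw_value).decode('utf-16').encode('utf8')
            except (TypeError, ValueError):
                # Malformed hex (TypeError on Python 2, binascii.Error -- a
                # ValueError -- on Python 3) or undecodable UTF-16
                # (UnicodeDecodeError): keep a dump of the raw bytes.
                # Narrowed from a bare except so KeyboardInterrupt and
                # SystemExit still propagate.
                self.Password = dump(unhexlify(raw_value), 16, 16)
        else:
            print(Name)
        return offset + ValueLength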
Esempio n. 4
0
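    def ParseUserProperty(self, text, offset):
        """Parse one property record of a supplemental-credentials blob.

        Layout as read here: 16-bit name length, 16-bit value length,
        16-bit reserved field, UTF-16 name, hex-encoded value.  Known
        names set KerberosNewerKeys, KerberosKeys, WDigestHashes, Packages
        or Password; any other name is printed and skipped.

        Args:
            text: the blob as a byte string.
            offset: index of the record's first byte.

        Returns:
            Offset of the byte after the value, or None if *text* is
            truncated before the record is complete.
        """

        def field16(pos):
            # Native-order unsigned 16-bit value at *pos*, or None when the
            # two bytes are not all present.
            chunk = text[pos : pos + 2]
            if len(chunk) != 2:
                return None
            return unpack("H", chunk)[0]

        NameLength = field16(offset)
        if NameLength is None:
            return
        offset += 2
        ValueLength = field16(offset)
        if ValueLength is None:
            return
        offset += 2
        reserved = field16(offset)  # consumed for alignment only
        if reserved is None:
            return
        offset += 2

        # Fix: check that the full name is present.  The previous check only
        # required two bytes, so a name cut short by the end of the blob was
        # handed to the UTF-16 decoder anyway.
        raw_name = text[offset : offset + NameLength]
        if len(raw_name) != NameLength:
            return
        Name = raw_name.decode("utf-16")
        offset += NameLength

        raw_value = text[offset : offset + ValueLength]
        if len(raw_value) != ValueLength:
            return
        if Name == u"Primary:Kerberos-Newer-Keys":
            self.KerberosNewerKeys = self.ParseKerberosNewerKeysPropertyValue(unhexlify(raw_value))
        elif Name == u"Primary:Kerberos":
            self.KerberosKeys = self.ParseKerberosPropertyValue(unhexlify(raw_value))
        elif Name == u"Primary:WDigest":
            self.WDigestHashes = self.ParseWDigestPropertyValue(unhexlify(raw_value))
        elif Name == u"Packages":
            self.Packages = unhexlify(raw_value).decode("utf-16").split("\x00")
        elif Name == u"Primary:CLEARTEXT":
            try:
                # decode() yields unicode already; the old unicode(...) call was a no-op.
                self.Password = unhexlify(raw_value).decode("utf-16").encode("utf8")
            except (TypeError, ValueError):
                # Bad hex (TypeError on Python 2, binascii.Error/ValueError on
                # Python 3) or bad UTF-16 (UnicodeDecodeError): fall back to a
                # dump of the raw bytes.  Narrowed from a bare except so that
                # KeyboardInterrupt and SystemExit are not swallowed.
                self.Password = dump(unhexlify(raw_value), 16, 16)
        else:
            print(Name)
        return offset + ValueLength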
Esempio n. 5
0
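def _computer_csv_row(computer, tail):
    """Return the CSV columns shared by every row written for *computer*,
    followed by the caller-supplied *tail* columns.

    Both rows that processComputer() writes -- the main record and one row
    per recovery-information entry -- start with the same nine identity,
    OS and timestamp columns; building them here keeps the two call sites
    from drifting apart.
    """
    return [
        computer.RecordId, computer.Name, computer.DNSHostName,
        str(computer.GUID),
        str(computer.SID), computer.OSName, computer.OSVersion,
        dsGetDSTimeStampStr(computer.WhenCreated),
        dsGetDSTimeStampStr(computer.WhenChanged)
    ] + list(tail)


def processComputer(computer):
    """Print one computer record and, per the module's dump switches, its
    password hashes, hash history, recovery information and supplemental
    credentials; mirror the record to CSV when csvoutfile is set.

    Reads the module globals csvoutfile, pwdump, pwdformat, pwhdump,
    bitldump, suppcreddump and db, and appends hash lines to the ntof /
    lmof output files as well as stdout.  Nothing is returned.
    """
    global csvoutfile
    global pwdump
    global pwdformat
    global pwhdump
    global bitldump
    global suppcreddump

    sys.stdout.write(str(computer))

    # The main computer record.  The six empty columns sit where the
    # recovery rows below carry their recovery fields.
    # NOTE(review): the recovery rows end without the dial-in column, so
    # the two row shapes differ in width by one; kept as is.
    if csvoutfile != "":
        write_csv(_computer_csv_row(computer, [
            "", "", "", "", "", "",
            str(computer.DialInAccessPermission)
        ]))

    if pwdump:
        sys.stdout.write("\nPassword hashes:")
        (lm, nt) = computer.getPasswordHashes()
        if nt != '':
            if pwdformat == 'john':
                line = format_john(computer.Name, computer.SID, nt, 'NT')
                sys.stdout.write("\n\t" + line)
                ntof.writelines(line + "\n")
            if lm != '':
                if pwdformat == 'john':
                    line = format_john(computer.Name, computer.SID, lm, 'LM')
                    sys.stdout.write("\n\t" + line)
                    lmof.writelines(line + "\n")
                if pwdformat == 'ophc':
                    line = format_ophc(computer.Name, computer.SID, lm, nt)
                    sys.stdout.write("\n\t" + line)
                    ntof.writelines(line + "\n")

    if pwhdump:
        sys.stdout.write("\nPassword history:")
        (lmhistory, nthistory) = computer.getPasswordHistory()
        if nthistory is not None:
            if pwdformat == 'john':
                for hashid, nthash in enumerate(nthistory):
                    # Fix: the file line used to pass (nthash, SID) while the
                    # stdout line passed (SID, nthash); both now use the
                    # (name, SID, hash, type) order of every other call.
                    line = format_john(
                        computer.Name + "_nthistory" + str(hashid),
                        computer.SID, nthash, 'NT')
                    sys.stdout.write("\n\t" + line)
                    ntof.writelines(line + "\n")
                if lmhistory is not None:
                    for hashid, lmhash in enumerate(lmhistory):
                        line = format_john(
                            computer.Name + "_lmhistory" + str(hashid),
                            computer.SID, lmhash, 'LM')
                        sys.stdout.write("\n\t" + line)
                        lmof.writelines(line + "\n")
            if pwdformat == 'ophc':
                if lmhistory is not None:
                    # NOTE(review): bounded by len(lmhistory) but indexes
                    # nthistory too, so a shorter nthistory raises
                    # IndexError; the user-side loop uses len(nthistory) - 1.
                    # Kept as is -- confirm the intended bound.
                    for hashid in range(len(lmhistory)):
                        line = format_ophc(
                            computer.Name + "_history" + str(hashid),
                            computer.SID, lmhistory[hashid],
                            nthistory[hashid])
                        sys.stdout.write("\n\t" + line)
                        ntof.writelines(line + "\n")

    if bitldump:
        sys.stdout.write("\nRecovery information:")
        for rinfo in computer.getRecoveryInformations(db):
            sys.stdout.write("\n\t" + rinfo.Name)
            sys.stdout.write("\n\tRecovery GUID: " + str(rinfo.RecoveryGUID))
            sys.stdout.write("\n\tVolume GUID:   " + str(rinfo.VolumeGUID))
            sys.stdout.write("\n\tCreated: " +
                             dsGetDSTimeStampStr(rinfo.WhenCreated))
            sys.stdout.write("\n\tChanged: " +
                             dsGetDSTimeStampStr(rinfo.WhenChanged))
            # NOTE(review): the next statement is not valid Python as
            # received -- the ****** between two string literals looks like
            # a redaction artifact.  It is left verbatim; restore it from
            # the upstream source before running this module.
            sys.stdout.write("\n\tRecovery password: "******"\n\tFVE Key package:\n" +
                             dump(unhexlify(rinfo.FVEKeyPackage), 16, 16))
            sys.stdout.write("\n\n")

            if csvoutfile != "":
                write_csv(_computer_csv_row(computer, [
                    rinfo.Name,
                    str(rinfo.RecoveryGUID),
                    str(rinfo.VolumeGUID),
                    dsGetDSTimeStampStr(rinfo.WhenCreated),
                    dsGetDSTimeStampStr(rinfo.WhenChanged),
                    rinfo.RecoveryPassword
                ]))

    if suppcreddump:
        creds = computer.getSupplementalCredentials()
        if creds is not None:
            sys.stdout.write("\nSupplemental credentials:\n")
            creds.Print("  ")

    sys.stdout.write("\n")
    sys.stdout.flush()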
Esempio n. 6
0
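def _user_csv_row(user, str_uac, str_anc, tail):
    """Return the CSV columns shared by every row written for *user*,
    followed by the four caller-supplied *tail* columns (group name,
    group SID, a Y/N flag, deletion timestamp or "").

    processUser() writes up to four differently-tailed rows per user; the
    nineteen leading columns were previously repeated at each call site.
    """
    return [
        user.RecordId, user.Name, user.PrincipalName, user.SAMAccountName,
        user.getSAMAccountType(), str(user.GUID), str(user.SID),
        dsGetDSTimeStampStr(user.WhenCreated), dsGetDSTimeStampStr(user.WhenChanged),
        dsGetDSTimeStampStr(user.AccountExpires), dsGetDSTimeStampStr(user.PasswordLastSet),
        dsGetDSTimeStampStr(user.LastLogon), dsGetDSTimeStampStr(user.LastLogonTimeStamp),
        dsGetDSTimeStampStr(user.BadPwdTime), user.LogonCount, user.BadPwdCount, str_uac, str_anc,
        str(user.DialInAccessPermission),
    ] + list(tail)


def processUser(user):
    """Print one user record and, per the module's dump switches, its hashes,
    hash history, certificate, supplemental credentials and group
    memberships; mirror each to CSV when csvoutfile is set.

    Reads the module globals csvoutfile, pwdump, pwdformat, pwhdump,
    certdump, suppcreddump, grpdump, groups and db, and appends hash lines
    to the ntof / lmof output files as well as stdout.  Nothing is returned.

    NOTE(review): user.Name, PrincipalName, SAMAccountName and group names
    come straight from the database and are written to the CSV unescaped;
    if the file is meant to be opened in a spreadsheet, values starting
    with =, +, - or @ need neutralising in write_csv (not shown here).
    """
    sys.stdout.write(str(user))
    sys.stdout.flush()

    str_uac = ""
    if csvoutfile != "":
        str_uac = "".join(uac + "|" for uac in user.getUserAccountControl())
    # The ancestor walk runs even without CSV output, as before; str_anc is
    # only consumed by the CSV rows.
    str_anc = "".join(ancestor.Name + "|" for ancestor in user.getAncestors(db))

    if csvoutfile != "":
        write_csv(_user_csv_row(user, str_uac, str_anc, ["", "", "", ""]))

    if pwdump:
        sys.stdout.write("\nPassword hashes:")
        (lm, nt) = user.getPasswordHashes()
        if nt != '':
            sid = str(user.SID)
            if pwdformat == 'john':
                line = format_john(user.SAMAccountName, sid, nt, 'NT')
                sys.stdout.write("\n\t" + line)
                ntof.writelines(line + "\n")
            if lm != '':
                if pwdformat == 'john':
                    line = format_john(user.SAMAccountName, sid, lm, 'LM')
                    sys.stdout.write("\n\t" + line)
                    lmof.writelines(line + "\n")
                if pwdformat == 'ocl':
                    line = format_ocl(user.SAMAccountName, lm)
                    sys.stdout.write("\n\t" + line)
                    lmof.writelines(line + "\n")
            if pwdformat == 'ophc':
                # The old else-branch passed "" when lm was ''; those are the
                # same value, so one call covers both cases.
                line = format_ophc(user.SAMAccountName, sid, lm, nt)
                sys.stdout.write("\n\t" + line)
                ntof.writelines(line + "\n")
            if pwdformat == 'ocl':
                line = format_ocl(user.SAMAccountName, nt)
                sys.stdout.write("\n\t" + line)
                ntof.writelines(line + "\n")

    if pwhdump:
        sys.stdout.write("\nPassword history:")
        (lmhistory, nthistory) = user.getPasswordHistory()
        if nthistory is not None:
            sid = str(user.SID)
            if pwdformat == 'john':
                for hashid, nthash in enumerate(nthistory):
                    line = format_john(user.SAMAccountName + "_nthistory" + str(hashid), sid, nthash, 'NT')
                    sys.stdout.write("\n\t" + line)
                    ntof.writelines(line + "\n")
                if lmhistory is not None:
                    for hashid, lmhash in enumerate(lmhistory):
                        line = format_john(user.SAMAccountName + "_lmhistory" + str(hashid), sid, lmhash, 'LM')
                        sys.stdout.write("\n\t" + line)
                        lmof.writelines(line + "\n")
            if pwdformat == 'ocl':
                for hashid, nthash in enumerate(nthistory):
                    line = format_ocl(user.SAMAccountName + "_nthistory" + str(hashid), nthash)
                    sys.stdout.write("\n\t" + line)
                    ntof.writelines(line + "\n")
                if lmhistory is not None:
                    for hashid, lmhash in enumerate(lmhistory):
                        line = format_ocl(user.SAMAccountName + "_lmhistory" + str(hashid), lmhash)
                        sys.stdout.write("\n\t" + line)
                        lmof.writelines(line + "\n")
            if pwdformat == 'ophc':
                if lmhistory is not None:
                    # NOTE(review): stops one short of len(nthistory) and indexes
                    # lmhistory with the same counter, so the last NT entry is
                    # never written and a shorter lmhistory raises IndexError;
                    # the computer-side loop uses len(lmhistory).  Kept as is --
                    # confirm the intended bound before aligning them.
                    for hashid in range(0, len(nthistory) - 1):
                        line = format_ophc(user.SAMAccountName + "_history" + str(hashid), sid, lmhistory[hashid], nthistory[hashid])
                        sys.stdout.write("\n\t" + line)
                        ntof.writelines(line + "\n")

    if certdump and user.Certificate != "":
        sys.stdout.write("\nCertificate:\n")
        sys.stdout.write(dump(user.Certificate, 16, 16))

    if suppcreddump:
        creds = user.getSupplementalCredentials()
        if creds is not None:
            sys.stdout.write("\nSupplemental credentials:\n")
            creds.Print("  ")

    if grpdump:
        sys.stdout.write("\nMember of:")
        if user.PrimaryGroupID != -1:
            for g in groups:
                if g.SID.RID == user.PrimaryGroupID:
                    if csvoutfile != "":
                        write_csv(_user_csv_row(user, str_uac, str_anc, [g.Name, str(g.SID), "Y", ""]))
                    sys.stdout.write("\n\t%s (%s) (P)" % (g.Name, str(g.SID)))
        for groupid, deltime in user.getMemberOf():
            try:
                group = dsGroup(db, groupid)
            except Exception:
                # Narrowed from a bare except so Ctrl-C still interrupts; a
                # group that cannot be loaded is reported and skipped.
                sys.stderr.write("\n[!] Unable to instantiate group object (record id: %d)" % groupid)
                continue
            if deltime == -1:
                if csvoutfile != "":
                    write_csv(_user_csv_row(user, str_uac, str_anc, [group.Name, str(group.SID), "N", ""]))
                sys.stdout.write("\n\t%s (%s)" % (group.Name, group.SID))
            else:
                deleted_at = dsGetDSTimeStampStr(dsConvertToDSTimeStamp(deltime))
                if csvoutfile != "":
                    write_csv(_user_csv_row(user, str_uac, str_anc, [group.Name, str(group.SID), "Y", deleted_at]))
                sys.stdout.write("\n\t%s (%s) - Deleted: %s" % (group.Name, group.SID, deleted_at))

    sys.stdout.write("\n")
    sys.stdout.flush()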
Esempio n. 7
0
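def _quoted_text(value):
    """Return *value* wrapped as ="value", the form the CSV rows below use for
    timestamps (presumably so a spreadsheet keeps them as literal text)."""
    return "=\"" + value + "\""


def _computer_base_columns(computer):
    """Return the nine leading CSV columns shared by every row written for
    *computer*: identity fields, OS fields and the two quoted timestamps."""
    return [computer.RecordId, computer.Name, computer.DNSHostName, str(computer.GUID),
            str(computer.SID), computer.OSName, computer.OSVersion,
            _quoted_text(dsGetDSTimeStampStr(computer.WhenCreated)),
            _quoted_text(dsGetDSTimeStampStr(computer.WhenChanged))]


def processComputer(computer):
    """Print one computer record and, per the module's dump switches, its
    password hashes, hash history, recovery information and supplemental
    credentials; mirror the record to CSV when csvoutfile is set.

    Reads the module globals csvoutfile, pwdump, pwdformat, pwhdump, bitldump,
    suppcreddump and db; hash lines go to the ntof / lmof output files as well
    as stdout.  Nothing is returned.

    NOTE(review): computer.Name and DNSHostName are written to the CSV as
    stored in the database.  Only the timestamps get the ="..." wrapping; if
    the file is meant for spreadsheet use, names beginning with =, +, - or @
    need neutralising in write_csv (not shown here).
    """
    global csvoutfile
    global pwdump
    global pwdformat
    global pwhdump
    global bitldump
    global suppcreddump

    sys.stdout.write(str(computer))

    # The main computer record; the six empty columns are where the
    # per-recovery-entry rows below carry their recovery fields.
    # NOTE(review): those rows have no trailing dial-in column, so the two
    # row shapes differ in width by one; kept as is.
    if csvoutfile != "":
        write_csv(_computer_base_columns(computer) + ["", "", "", "", "", "", str(computer.DialInAccessPermission)])

    if pwdump:
        sys.stdout.write("\nPassword hashes:")
        (lm, nt) = computer.getPasswordHashes()
        if nt != '':
            if pwdformat == 'john':
                line = format_john(computer.Name, computer.SID, nt, 'NT')
                sys.stdout.write("\n\t" + line)
                ntof.writelines(line + "\n")
            if lm != '':
                if pwdformat == 'john':
                    line = format_john(computer.Name, computer.SID, lm, 'LM')
                    sys.stdout.write("\n\t" + line)
                    lmof.writelines(line + "\n")
                if pwdformat == 'ophc':
                    line = format_ophc(computer.Name, computer.SID, lm, nt)
                    sys.stdout.write("\n\t" + line)
                    ntof.writelines(line + "\n")

    if pwhdump:
        sys.stdout.write("\nPassword history:")
        (lmhistory, nthistory) = computer.getPasswordHistory()
        if nthistory is not None:
            if pwdformat == 'john':
                for hashid, nthash in enumerate(nthistory):
                    # Fix: the file line previously passed (nthash, SID) while the
                    # stdout line passed (SID, nthash); both now use the
                    # (name, SID, hash, type) order of every other call.
                    line = format_john(computer.Name + "_nthistory" + str(hashid), computer.SID, nthash, 'NT')
                    sys.stdout.write("\n\t" + line)
                    ntof.writelines(line + "\n")
                if lmhistory is not None:
                    for hashid, lmhash in enumerate(lmhistory):
                        line = format_john(computer.Name + "_lmhistory" + str(hashid), computer.SID, lmhash, 'LM')
                        sys.stdout.write("\n\t" + line)
                        lmof.writelines(line + "\n")
            if pwdformat == 'ophc':
                if lmhistory is not None:
                    # NOTE(review): bounded by len(lmhistory) but indexes nthistory
                    # too, so a shorter nthistory raises IndexError; the user-side
                    # loop uses len(nthistory) - 1.  Kept as is -- confirm the bound.
                    for hashid in range(len(lmhistory)):
                        line = format_ophc(computer.Name + "_history" + str(hashid), computer.SID, lmhistory[hashid], nthistory[hashid])
                        sys.stdout.write("\n\t" + line)
                        ntof.writelines(line + "\n")

    if bitldump:
        sys.stdout.write("\nRecovery information:")
        for rinfo in computer.getRecoveryInformations(db):
            sys.stdout.write("\n\t" + rinfo.Name)
            sys.stdout.write("\n\tRecovery GUID: " + str(rinfo.RecoveryGUID))
            sys.stdout.write("\n\tVolume GUID:   " + str(rinfo.VolumeGUID))
            sys.stdout.write("\n\tWhen created: " + dsGetDSTimeStampStr(rinfo.WhenCreated))
            sys.stdout.write("\n\tWhen changed: " + dsGetDSTimeStampStr(rinfo.WhenChanged))
            # NOTE(review): the next statement is not valid Python as received --
            # the ****** between two string literals looks like a redaction
            # artifact.  Left verbatim; restore it from the upstream source
            # before running this module.
            sys.stdout.write("\n\tRecovery password: "******"\n\tFVE Key package:\n" + dump(unhexlify(rinfo.FVEKeyPackage),16, 16))
            sys.stdout.write("\n\n")

            if csvoutfile != "":
                write_csv(_computer_base_columns(computer) + [
                    rinfo.Name, str(rinfo.RecoveryGUID), str(rinfo.VolumeGUID),
                    _quoted_text(dsGetDSTimeStampStr(rinfo.WhenCreated)),
                    _quoted_text(dsGetDSTimeStampStr(rinfo.WhenChanged)),
                    rinfo.RecoveryPassword])

    if suppcreddump:
        creds = computer.getSupplementalCredentials()
        if creds is not None:
            sys.stdout.write("\nSupplemental credentials:\n")
            creds.Print("  ")

    sys.stdout.write("\n")
    sys.stdout.flush()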
# Fixed-offset header fields.  A bare 'I' format reads one native-order
# unsigned 32-bit value; [0] takes it out of the one-element tuple.
pagesize = unpack('I', header[236:240])[0]
wmajorversion = unpack('I', header[216:220])[0]
wminorversion = unpack('I', header[220:224])[0]
wbuildnumber = unpack('I', header[224:228])[0]
wservicepack = unpack('I', header[228:232])[0]


def _hex_reversed(raw):
    # Hex digits of *raw* taken back to front, the way the summary lines
    # present these fields.
    return hexlify(raw[::-1])


print("Header checksum:     %s" % _hex_reversed(header[:4]))
print("Signature:           %s" % _hex_reversed(header[4:8]))
print("File format version: %s" % _hex_reversed(header[8:12]))
print("File type:           %s" % _hex_reversed(header[12:16]))
print("Page size:           %d bytes" % pagesize)
print("DB time:             %s" % _hex_reversed(header[16:24]))
print("Windows version:     %d.%d (%d) Service pack %d" % (
    wmajorversion, wminorversion, wbuildnumber, wservicepack))
# dsGetDBLogTimeStampStr() supplies the six date/time components the
# format strings expect.  header[28:36] is the same slice the original
# wrote as header[24:52][4:12].
print("Creation time: %04d.%02d.%02d %02d:%02d:%02d" %
      dsGetDBLogTimeStampStr(header[28:36]))
print("Attach time:   %04d.%02d.%02d %02d:%02d:%02d" %
      dsGetDBLogTimeStampStr(header[72:80]))
# A zero first byte of the detach-time field is reported as "dirty state".
detach_flag = unpack("B", header[88:89])[0]
if detach_flag == 0:
    print("Detach time:   database is in dirty state")
else:
    print("Detach time:   %04d.%02d.%02d %02d:%02d:%02d" %
          dsGetDBLogTimeStampStr(header[88:96]))
print("Consistent time: %04d.%02d.%02d %02d:%02d:%02d" %
      dsGetDBLogTimeStampStr(header[64:72]))
print("Recovery time:   %04d.%02d.%02d %02d:%02d:%02d" %
      dsGetDBLogTimeStampStr(header[244:252]))
print("Header dump (first 672 bytes):")
print(dump(header[:672], 16, 4))
# f is the database file handle opened earlier in the script (not shown).
f.close()
Esempio n. 9
0
# The four Windows version fields are consecutive 32-bit values at bytes
# 216..232, so one unpack() call reads them; the page size is at 236..240.
# A bare 'I'/'4I' format uses native byte order.
(wmajorversion, wminorversion, wbuildnumber, wservicepack) = unpack('4I', header[216:232])
(pagesize, ) = unpack('I', header[236:240])


def _show_hex_field(label_fmt, raw):
    # Print *raw* as hex with the byte order reversed, inside *label_fmt*.
    print(label_fmt % hexlify(raw[::-1]))


def _show_log_time(label_fmt, raw):
    # Print a log timestamp; dsGetDBLogTimeStampStr() returns the six
    # components the %04d.%02d.%02d %02d:%02d:%02d labels expect.
    print(label_fmt % dsGetDBLogTimeStampStr(raw))


_show_hex_field("Header checksum:     %s", header[:4])
_show_hex_field("Signature:           %s", header[4:8])
_show_hex_field("File format version: %s", header[8:12])
_show_hex_field("File type:           %s", header[12:16])
print("Page size:           %d bytes" % pagesize)
_show_hex_field("DB time:             %s", header[16:24])
print("Windows version:     %d.%d (%d) Service pack %d" % (wmajorversion, wminorversion, wbuildnumber, wservicepack))
# header[28:36] is the same slice the original spelled header[24:52][4:12].
_show_log_time("Creation time: %04d.%02d.%02d %02d:%02d:%02d", header[28:36])
_show_log_time("Attach time:   %04d.%02d.%02d %02d:%02d:%02d", header[72:80])
# The script treats a zero first byte of the detach-time field as "dirty".
if unpack("B", header[88:89])[0] == 0:
    print("Detach time:   database is in dirty state")
else:
    _show_log_time("Detach time:   %04d.%02d.%02d %02d:%02d:%02d", header[88:96])
_show_log_time("Consistent time: %04d.%02d.%02d %02d:%02d:%02d", header[64:72])
_show_log_time("Recovery time:   %04d.%02d.%02d %02d:%02d:%02d", header[244:252])
print("Header dump (first 672 bytes):")
print(dump(header[:672], 16, 4))
# f is the database file handle opened earlier in the script (not shown).
f.close()
Esempio n. 10
0
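def processUser(user):
    """Dump one user record to stdout and, when enabled, to the output files.

    Always prints ``str(user)``.  Depending on the module-level flags set up
    by the caller it then appends: the LM/NT hashes (``pwdump``), the hash
    history (``pwhdump``), the raw certificate blob (``certdump``), the
    supplemental credentials (``suppcreddump``) and the group memberships
    (``grpdump``).  Hash lines are rendered in ``pwdformat`` ('john', 'ocl'
    or 'ophc') and mirrored to the module-level ``ntof``/``lmof`` files; one
    CSV row per user (plus one per group membership) goes through
    ``write_csv`` when ``csvoutfile`` is set.

    Args:
        user: the user record object; the attributes and getters read here
            are listed in ``_csv_row`` and the sections below.

    Returns:
        None -- all output is a side effect; stdout is flushed at the end.

    NOTE(review): everything this emits (stdout, ntof/lmof, the CSV) is
    credential material (NT/LM hashes, history, supplemental credentials);
    store and dispose of the output files accordingly.
    NOTE(review): Name/PrincipalName/SAMAccountName come straight from the
    directory.  If ``write_csv`` does not quote or escape leading
    '=', '+', '-' or '@', a crafted display name becomes a spreadsheet
    formula when the CSV is opened in Excel/LibreOffice -- verify write_csv.
    """

    def _csv_row(group_name, group_sid, flag, deleted_at):
        # Shared column layout for every CSV line of this user.  The last
        # four columns describe one group membership and are empty on the
        # plain user row; the third of them carries "Y"/"N" exactly as the
        # original wrote it for primary / current / deleted memberships.
        return [
            user.RecordId, user.Name, user.PrincipalName, user.SAMAccountName,
            user.getSAMAccountType(),
            str(user.GUID),
            str(user.SID),
            dsGetDSTimeStampStr(user.WhenCreated),
            dsGetDSTimeStampStr(user.WhenChanged),
            dsGetDSTimeStampStr(user.AccountExpires),
            dsGetDSTimeStampStr(user.PasswordLastSet),
            dsGetDSTimeStampStr(user.LastLogon),
            dsGetDSTimeStampStr(user.LastLogonTimeStamp),
            dsGetDSTimeStampStr(user.BadPwdTime), user.LogonCount,
            user.BadPwdCount, str_uac, str_anc,
            str(user.DialInAccessPermission), group_name, group_sid, flag,
            deleted_at,
        ]

    def _emit(line, outfile):
        # Every hash line goes both to the console (indented) and to its
        # cracker-format file.
        sys.stdout.write("\n\t" + line)
        outfile.writelines(line + "\n")

    sys.stdout.write(str(user))
    sys.stdout.flush()

    # Pipe-separated UAC flags and ancestor chain, as the CSV expects them.
    str_uac = ""
    if csvoutfile != "":
        str_uac = "".join(uac + "|" for uac in user.getUserAccountControl())
    str_anc = "".join(
        ancestor.Name + "|" for ancestor in user.getAncestors(db))

    if csvoutfile != "":
        write_csv(_csv_row("", "", "", ""))

    name = user.SAMAccountName
    sid = str(user.SID)

    if pwdump:
        sys.stdout.write("\nPassword hashes:")
        (lm, nt) = user.getPasswordHashes()
        if nt != '':
            if pwdformat == 'john':
                _emit(format_john(name, sid, nt, 'NT'), ntof)
            if lm != '':
                if pwdformat == 'john':
                    _emit(format_john(name, sid, lm, 'LM'), lmof)
                if pwdformat == 'ocl':
                    _emit(format_ocl(name, lm), lmof)
            if pwdformat == 'ophc':
                # When the account has no LM hash ``lm`` is '' -- the same
                # placeholder the original passed explicitly.
                _emit(format_ophc(name, sid, lm, nt), ntof)
            if pwdformat == 'ocl':
                _emit(format_ocl(name, nt), ntof)

    if pwhdump:
        sys.stdout.write("\nPassword history:")
        (lmhistory, nthistory) = user.getPasswordHistory()
        if nthistory is not None:
            if pwdformat == 'john':
                for hashid, nthash in enumerate(nthistory):
                    _emit(format_john(name + "_nthistory" + str(hashid),
                                      sid, nthash, 'NT'), ntof)
                if lmhistory is not None:
                    for hashid, lmhash in enumerate(lmhistory):
                        _emit(format_john(name + "_lmhistory" + str(hashid),
                                          sid, lmhash, 'LM'), lmof)
            if pwdformat == 'ocl':
                for hashid, nthash in enumerate(nthistory):
                    _emit(format_ocl(name + "_nthistory" + str(hashid),
                                     nthash), ntof)
                if lmhistory is not None:
                    for hashid, lmhash in enumerate(lmhistory):
                        _emit(format_ocl(name + "_lmhistory" + str(hashid),
                                         lmhash), lmof)
            if pwdformat == 'ophc':
                if lmhistory is not None:
                    # Fix: the original iterated range(len(nthistory) - 1),
                    # silently dropping the last history entry (the john and
                    # ocl branches above emit all of them), and indexed
                    # lmhistory with the NT index, which raises IndexError
                    # when the LM history is shorter.  zip() emits exactly the
                    # pairs present in both lists.
                    for hashid, (lmhash, nthash) in enumerate(
                            zip(lmhistory, nthistory)):
                        _emit(format_ophc(name + "_history" + str(hashid),
                                          sid, lmhash, nthash), ntof)

    if certdump and user.Certificate != "":
        sys.stdout.write("\nCertificate:\n")
        sys.stdout.write(dump(user.Certificate, 16, 16))

    if suppcreddump:
        creds = user.getSupplementalCredentials()
        if creds is not None:
            sys.stdout.write("\nSupplemental credentials:\n")
            creds.Print("  ")

    if grpdump:
        sys.stdout.write("\nMember of:")
        # Primary group is resolved by RID against the module-level ``groups``
        # list; it is marked "(P)" on the console.
        if user.PrimaryGroupID != -1:
            for g in groups:
                if g.SID.RID == user.PrimaryGroupID:
                    if csvoutfile != "":
                        write_csv(_csv_row(g.Name, str(g.SID), "Y", ""))
                    sys.stdout.write("\n\t%s (%s) (P)" % (g.Name, str(g.SID)))
        for groupid, deltime in user.getMemberOf():
            try:
                group = dsGroup(db, groupid)
            except Exception:
                # Narrowed from a bare ``except:`` so Ctrl-C/SystemExit still
                # abort the run instead of being reported as a bad group.
                sys.stderr.write(
                    "\n[!] Unable to instantiate group object (record id: %d)"
                    % groupid)
                continue
            if deltime == -1:
                if csvoutfile != "":
                    write_csv(_csv_row(group.Name, str(group.SID), "N", ""))
                sys.stdout.write("\n\t%s (%s)" % (group.Name, group.SID))
            else:
                deleted_at = dsGetDSTimeStampStr(
                    dsConvertToDSTimeStamp(deltime))
                if csvoutfile != "":
                    write_csv(_csv_row(group.Name, str(group.SID), "Y",
                                       deleted_at))
                sys.stdout.write("\n\t%s (%s) - Deleted: %s" %
                                 (group.Name, group.SID, deleted_at))

    sys.stdout.write("\n")
    sys.stdout.flush()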